diff --git a/nixos/doc/manual/release-notes/rl-2003.xml b/nixos/doc/manual/release-notes/rl-2003.xml
index ef689c5cbad4..1eef4f08c4fd 100644
--- a/nixos/doc/manual/release-notes/rl-2003.xml
+++ b/nixos/doc/manual/release-notes/rl-2003.xml
@@ -407,6 +407,44 @@ users.users.me =
the type to either path (submodule ...).
+
+
+ The Buildkite Agent
+ module and corresponding packages have been updated to 3.x.
+ While doing so, the following options have been changed:
+
+
+
+
+ services.buildkite-agent.meta-data has been renamed to
+ services.buildkite-agent.tags,
+ to match upstreams naming for 3.x.
+ Its type has also changed - it now accepts an attrset of strings.
+
+
+
+
+ Theservices.buildkite-agent.openssh.publicKeyPath option
+ has been removed, as it's not necessary to deploy public keys to clone private
+ repositories.
+
+
+
+
+ services.buildkite-agent.openssh.privateKeyPath
+ has been renamed to
+ buildkite-agent.privateSshKeyPath,
+ as the whole openssh now only contained that single option.
+
+
+
+
+ services.buildkite-agent.shell
+ has been introduced, allowing to specify a custom shell to be used.
+
+
+
+
diff --git a/nixos/modules/services/continuous-integration/buildkite-agent.nix b/nixos/modules/services/continuous-integration/buildkite-agent.nix
index e996680bedaf..3c9c92bf0527 100644
--- a/nixos/modules/services/continuous-integration/buildkite-agent.nix
+++ b/nixos/modules/services/continuous-integration/buildkite-agent.nix
@@ -74,13 +74,12 @@ in
'';
};
- meta-data = mkOption {
- type = types.str;
- default = "";
- example = "queue=default,docker=true,ruby2=true";
+ tags = mkOption {
+ type = types.attrsOf types.str;
+ default = {};
+ example = { queue = "default"; docker = "true"; ruby2 ="true"; };
description = ''
- Meta data for the agent. This is a comma-separated list of
- key=value pairs.
+ Tags for the agent.
'';
};
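Review bot: The new `tags` description drops the format information the old text carried, and `types.attrsOf types.str` accepts values that the join in `preStart` cannot represent. `tagStr` there concatenates the pairs as `name=value` with `,` and no escaping, so a key or value containing a comma or a newline would change how the resulting list is read; where that string is written is outside the visible hunks, so the exact effect needs confirming. I would either state the constraint in the description, e.g. `Tags for the agent, rendered as comma-separated key=value pairs; keys and values must not contain commas or newlines.`, or restrict the element type with `types.strMatching`.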
@@ -93,26 +92,19 @@ in
'';
};
- openssh =
- { privateKeyPath = mkOption {
- type = types.path;
- description = ''
- Private agent key.
+ privateSshKeyPath = mkOption {
+ type = types.path;
+ ## maximum care is taken so that secrets (ssh keys and the CI token)
+ ## don't end up in the Nix store.
+ apply = final: if final == null then null else toString final;
- A run-time path to the key file, which is supposed to be provisioned
- outside of Nix store.
- '';
- };
- publicKeyPath = mkOption {
- type = types.path;
- description = ''
- Public agent key.
+ description = ''
+ OpenSSH private key
- A run-time path to the key file, which is supposed to be provisioned
- outside of Nix store.
- '';
- };
- };
+ A run-time path to the key file, which is supposed to be provisioned
+ outside of Nix store.
+ '';
+ };
hooks = mkHookOptions [
{ name = "checkout";
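Review bot: `privateSshKeyPath` is declared as `types.path` with no default, so the `final == null` branch in `apply` can never be taken. Either make the option `types.nullOr types.path` with `default = null` if the key is meant to be optional, or reduce the line to `apply = toString;`. The `toString` is what keeps a path literal from being copied into the world-readable Nix store, which the comment above it could say explicitly. Separately, the `preStart` context line in the last hunk still reads `cfg.openssh.privateKeyPath`, which this hunk removes; unless a rename alias exists outside the visible diff, that line should become `cp -f "${cfg.privateSshKeyPath}" "${sshDir}/id_rsa"`. The release note also names the new option `buildkite-agent.privateSshKeyPath` without the `services.` prefix.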
@@ -181,6 +173,14 @@ in
instead.
'';
};
+
+ shell = mkOption {
+ type = types.str;
+ default = "${pkgs.bash}/bin/bash -e -c";
+ description = ''
+ Command that buildkite-agent 3 will execute when it spawns a shell.
+ '';
+ };
};
};
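Review bot: The `shell` default interpolates `pkgs.bash`, so the rendered option documentation would show a concrete store path; adding a `defaultText` with the literal expression would keep the manual stable. The description could also say that the value is a full command line (program plus arguments) rather than a path to a shell. It is worth noting there that the default's `-e` makes the script stop at the first failing command, so a custom value without it changes how build failures are detected. How the value reaches the agent configuration is outside the visible hunks.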
@@ -210,20 +210,18 @@ in
## don't end up in the Nix store.
preStart = let
sshDir = "${cfg.dataDir}/.ssh";
- metaData = if cfg.meta-data == ""
- then ""
- else "meta-data=${cfg.meta-data}";
+ tagStr = lib.concatStringsSep "," (lib.mapAttrsToList (name: value: "${name}=${value}") cfg.tags);
in
''
mkdir -m 0700 -p "${sshDir}"
cp -f "${toString cfg.openssh.privateKeyPath}" "${sshDir}/id_rsa"
- cp -f "${toString cfg.openssh.publicKeyPath}" "${sshDir}/id_rsa.pub"
chmod 600 "${sshDir}"/id_rsa*
cat > "${cfg.dataDir}/buildkite-agent.cfg" <